LAS VEGAS — Attribution is one of the biggest problems on the internet when it comes to cyberwarfare. How do you hold a nation responsible for malicious attacks if you can’t determine whether the activity was state-sponsored?

Retired General Michael Hayden, former director of the National Security Agency, said Thursday that one solution being discussed in government is to simply forget about trying to determine if the source of an attack is state-sponsored and hold nations responsible for malicious activity coming from their cyberspace. His words were greeted with applause from the audience of computer security professionals.

“Since the price of entry is so low, and … it’s difficult to prove state sponsorship, one of the thoughts … is to just be uninterested in that distinction and to actually hold states responsible for that activity emanating from their cyberspace,” said Hayden during his keynote address at the Black Hat security conference. “Whether you did [the attack yourself] or not, the consequences for that action [coming from your country] are the same.”

Asked later for examples of what the consequences to a nation might be, he suggested some kind of cyberexile, or a response that would thwart the flow of the internet from the suspect country in a way that would slow their cybercommerce and ability to communicate.

Hayden, who is currently a principal at the Chertoff Group, a security consulting firm founded by former Homeland Security Secretary Michael Chertoff, focused his talk on cyberwarfare and acknowledged that the term is thrown “pretty much at anything unpleasant.”

He said the U.S. military doesn’t consider intelligence attacks acts of war but the kind of “normal espionage thing that routinely happens between states.”

“Without going into great detail, we’re actually pretty good at this, and the Chinese aren’t the only ones doing this,” he said.

Outside of this, the U.S. and international community haven’t made much progress in determining what would actually constitute an act of war in this domain, but he said there have been some initial discussions about the idea of having global agreements to restrict certain kinds of activity. He cited denial-of-service attacks as an example of one type that could be restricted under a kind of Geneva Convention agreement on the rules of cyberwar.